Is there any documentation on the format that snort uses when writing
the alert file in "full" IDS mode? I am trying to write a parser for
the alerts, and it would be useful to know.
I understand that each line is (generally) a separate layer in the
packet, but things like RB=IP reserved bit set, and how fragmentation
is output would be useful.
Thanks
-Mike